Black Duck has been helping organizations find and fix vulnerabilities in their software for nearly a decade. And now it will be able to help them and the broader software industry even more.
The Black Duck Cybersecurity Research Center (CyRC), established in April 2019, now has the authority to identify and catalog newly discovered software vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) Program has designated Black Duck a CVE Numbering Authority (CNA), enabling it to assign CVE identification numbers to newly discovered vulnerabilities and publish information about the vulnerabilities in the associated CVE records.
“We’re excited to take this next step in our progression as a good steward of the broader software ecosystem,” said Jason Schmitt, general manager of Black Duck.
“As a leader in application security, vulnerability research is part of our DNA. As a CNA, we can more effectively and efficiently disseminate the results of our research to our customers and the software community in general—for both newly discovered vulnerabilities and existing CVE records that may be inaccurate or incomplete.”
The CyRC has already discovered and contributed vulnerabilities to the CVE list, including CVE-2020-28052, an authentication bypass vulnerability in the OpenBSDBcrypt class of the widely used Java cryptography library Bouncy Castle, and CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container.
Indeed, it’s hard to think of a better security concept than the CVE Program. It amounts to crowd-sourcing security.
The idea is that when a researcher or research group finds an exploitable flaw or bug in software or firmware, they notify a single organization—in this case the nonprofit, federally funded MITRE Corporation, which maintains a database in which each vulnerability is assigned an identification number.
That means thousands—maybe tens of thousands—of people pooling their research efforts to help everyone who uses software—which today is pretty much everybody.
In the 22 years since the CVE Program began, there has been a long-standing gap between the number of vulnerabilities discovered and those that received a CVE ID. That gap has been large enough—30% to 50%—for some critics to complain that organizations sometimes struggle to keep their software secure through the CVE database.
That’s in large measure because of the exponential growth in the creation and use of software, particularly open source. Chris Fearon, director of research engineering with Black Duck, noted that it’s tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, it has become a target-rich landscape for attackers,” he said.
But MITRE has sought to address that gap by increasing the number of qualified CNAs through a federated model. Starting with an original 22 CNAs, there were 83 three years ago, and now they number at 158 in 26 countries.
Black Duck joins authorized commercial entities such as Linux, Red Hat, Google, and Microsoft as CNAs, which aim to close that gap.
And given that virtually every component of modern business is powered by software, the security of products, employee and customer records, online marketing, supply chains, financial records, and more depends on being able to identify and fix software vulnerabilities.
Since it began, more than 150,000 vulnerabilities have been identified and cataloged by the CVE Program—more than 17,000 in 2020 alone. The CVE Program also feeds into the National Vulnerability Database (NVD), launched in 2005 by the National Institute of Standards and Technology.
The NVD is a vulnerability database built upon and fully synchronized with the CVE list so that any updates to CVE appear immediately in the NVD.
“The identification and availability of accurate, timely vulnerability information is essential when protecting the software supply chain,” said Fearon.
“As we expand our vulnerability research and development efforts within CyRC, the direct nature of disclosing vulnerabilities as a CNA adds an increased level of transparency and speed to our research capabilities.”